Check: ENS-TP-000207
Trellix ENS 10.x STIG:
ENS-TP-000207
(in versions v2 r5 through v2 r14)
Title
(U) The Trellix ENS Threat Prevention On-Access Scan must be configured to disable the scan of trusted installers. (Cat II impact)
Discussion
(U) Trusted installers are MSI files installed by msiexec.exe and signed by Trellix or Microsoft. Disabling the real-time scan of these files is low risk, and the performance gain is relatively large.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Verify that On-Access Scan >> "Scan trusted installers" is not selected. If On-Access Scan >> "Scan trusted installers" is selected, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Deselect the On-Access Scan >> "Scan trusted installers" option. Click "Save".
Additional Identifiers
Rule ID: SV-228241r944466_rule
Vulnerability ID: V-228241
Group Title: SRG-APP-000278
CCIs
Number | Definition
---|---
CCI-001242 | The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.
Controls
Number | Title
---|---
SI-3 | Malicious Code Protection